# Heat service template for the containerized Neutron Open vSwitch agent.
# It declares the parameters, conditions and resources used below and
# exposes everything the deployment consumes through outputs.role_data.
heat_template_version: wallaby

description: >
  OpenStack Neutron openvswitch service
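parameters:
  # Container images. Both are run by docker_config in this template as
  # privileged containers on the host network and PID namespaces, so whoever
  # controls these image references controls code running with host-level
  # access. Pin them to a trusted registry (and ideally a digest).
  ContainerOpenvswitchImage:
    description: image
    type: string
  ContainerNeutronConfigImage:
    description: The container image to use for the neutron config_volume
    type: string
  DockerOpenvswitchUlimit:
    default: ['nofile=16384']
    description: ulimit for Openvswitch Container
    type: comma_delimited_list
  # Log source handed to rsyslog via service_config_settings.
  NeutronOpenVswitchAgentLoggingSource:
    type: json
    default:
      tag: openstack.neutron.agent.openvswitch
      file: /var/log/containers/neutron/openvswitch-agent.log
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry. Use
                 parameter_merge_strategies to merge it with the defaults.
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  DeployIdentifier:
    default: ''
    type: string
    description: >
      Setting this to a unique value will re-run any deployment tasks which
      perform configuration on a Heat stack-update.
  # When true, the host's puppet module tree is bind-mounted read-only into
  # the neutron_ovs_bridge container (see docker_config step_3).
  DockerPuppetMountHostPuppet:
    type: boolean
    default: true
    description: Whether containerized puppet executions use modules from the
                 baremetal host. Defaults to true. Can be set to false to
                 consume puppet modules from containers directly.
  # The value is substituted verbatim for PYTHON in the launcher script under
  # container_config_scripts and is therefore evaluated by bash inside the
  # privileged agent container. Treat it as code, not as a path: only
  # trusted operators should be able to override it.
  PythonInterpreter:
    type: string
    description: The python interpreter to use for python and ansible actions
    default: "$(command -v python3 || command -v python)"
  # Declared as a string, so the quoted "False" is passed through as text
  # rather than as a YAML boolean.
  NeutronEnableL2Pop:
    type: string
    description: Enable/disable the L2 population feature in the Neutron agents.
    default: "False"
  NeutronBridgeMappings:
    description: >
      The OVS logical->physical bridge mappings to use. See the Neutron
      documentation for details. Defaults to mapping br-ex - the external
      bridge on hosts - to a physical name 'datacentre' which can be used
      to create provider networks (and we use this for the default floating
      network) - if changing this either use different post-install network
      scripts or be sure to keep 'datacentre' as a mapping network name.
    type: comma_delimited_list
    default: "datacentre:br-ex"
    tags:
      - role_specific
  NeutronTunnelTypes:
    default: 'vxlan'
    description: The tunnel types for the Neutron tenant network.
    type: comma_delimited_list
  NeutronAgentExtensions:
    default: "qos"
    description: |
      Comma-separated list of extensions enabled for the Neutron agents.
    type: comma_delimited_list
  # Empty string means "not set": the neutron_dvr_set condition then leaves
  # enable_distributed_routing out of config_settings.
  NeutronEnableDVR:
    default: ''
    description: Enable Neutron DVR.
    type: string
  NeutronEnableARPResponder:
    default: false
    description: |
      Enable ARP responder feature in the OVS Agent.
    type: boolean
  MonitoringSubscriptionNeutronOvs:
    default: 'overcloud-neutron-ovs-agent'
    type: string
  # NOTE(review): this selects how security groups are enforced on the
  # hypervisor. The 'noop' driver is understood to apply no filtering at
  # all - confirm before using it outside a lab.
  NeutronOVSFirewallDriver:
    default: ''
    description: |
      Configure the classname of the firewall driver to use for implementing
      security groups. Possible values depend on system configuration. Some
      examples are : noop, openvswitch, iptables_hybrid. The default value of an
      empty string will result in a default supported configuration.
    type: string
  OvsHwOffload:
    default: false
    description: |
      Enable OVS Hardware Offload. This feature supported from OVS 2.8.0
    type: boolean
    tags:
      - role_specific
  OvsDisableEMC:
    default: false
    description: |
      Disable OVS Exact Match Cache.
    type: boolean
    tags:
      - role_specific
  NeutronOVSTunnelCsum:
    default: false
    description: |
      Set or un-set the tunnel header checksum on outgoing IP packet
      carrying GRE/VXLAN tunnel.
    type: boolean
  # Every ethertype listed here is additionally let through the Neutron
  # firewall; keep the list to what the workloads actually need.
  NeutronPermittedEthertypes:
    default: []
    description: |
      Set additional ethertypes to be configured on neutron firewalls.
    type: comma_delimited_list
  NeutronOvsResourceProviderBandwidths:
    description: >
      Comma-separated list of <bridge>:<egress_bw>:<ingress_bw> tuples, showing
      the available bandwidth for the given bridge in the given direction. The
      direction is meant from VM perspective. Bandwidth is measured in kilobits
      per second (kbps). The bridge must appear in bridge_mappings as the value.
    type: comma_delimited_list
    default: ""
    tags:
      - role_specific
  NeutronEnableIgmpSnooping:
    description: Enable IGMP Snooping.
    type: boolean
    default: false
  # Packet-logging limits, mapped to network_log_rate_limit and
  # network_log_burst_limit in config_settings.
  NeutronOVSAgentLoggingRateLimit:
    default: 100
    description: |
      Maximum number of packets logging per second
    type: number
  NeutronOVSAgentLoggingBurstLimit:
    default: 25
    description: |
      Maximum number of packets per rate_limit
    type: number
  # Only forwarded to the agent when non-empty (see the
  # network_log_local_output_log_base_set condition).
  NeutronOVSAgentLoggingLocalOutputLogBase:
    default: ''
    description: |
      Output logfile path on agent side, default syslog file
    type: string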
# Each condition is true when the corresponding parameter was given a
# non-empty value; outputs.role_data uses them to emit a setting only when
# the operator actually set it.
conditions:
  firewall_driver_set:
    not:
      equals:
        - get_param: NeutronOVSFirewallDriver
        - ''
  neutron_dvr_set:
    not:
      equals:
        - get_param: NeutronEnableDVR
        - ''
  ethertypes_set:
    not:
      equals:
        - get_param: NeutronPermittedEthertypes
        - []
  network_log_local_output_log_base_set:
    not:
      equals:
        - get_param: NeutronOVSAgentLoggingLocalOutputLogBase
        - ''
resources:

  # Shared container settings; this template reads its `volumes` and
  # `healthcheck_rpc_port` attributes in docker_config.
  ContainersCommon:
    type: ../containers-common.yaml

  # Merging role-specific parameters (RoleParameters) with the default parameters.
  # RoleParameters will have the precedence over the default parameters.
  #
  # The inner map_replace starts from hiera key -> parameter *name* and swaps
  # each name for the value found in RoleParameters, when one is present.
  # The outer map_replace then swaps any name still left for the global
  # parameter value. The order of the two passes is what gives role-specific
  # values precedence, so keep it when adding keys.
  RoleParametersValue:
    type: OS::Heat::Value
    properties:
      type: json
      value:
        map_replace:
          - map_replace:
              - neutron::agents::ml2::ovs::bridge_mappings: NeutronBridgeMappings
                vswitch::ovs::enable_hw_offload: OvsHwOffload
                vswitch::ovs::disable_emc: OvsDisableEMC
                neutron::agents::ml2::ovs::resource_provider_bandwidths: NeutronOvsResourceProviderBandwidths
              - values: {get_param: [RoleParameters]}
          - values:
              NeutronBridgeMappings: {get_param: NeutronBridgeMappings}
              OvsHwOffload: {get_param: OvsHwOffload}
              OvsDisableEMC: {get_param: OvsDisableEMC}
              NeutronOvsResourceProviderBandwidths: {get_param: NeutronOvsResourceProviderBandwidths}

  # Common Neutron settings; its role_data attribute supplies the base
  # config_settings, service_config_settings and metadata_settings.
  NeutronBase:
    type: ./neutron-base.yaml
    properties:
      EndpointMap: {get_param: EndpointMap}
      ServiceData: {get_param: ServiceData}
      ServiceNetMap: {get_param: ServiceNetMap}
      RoleName: {get_param: RoleName}
      RoleParameters: {get_param: RoleParameters}

  # Logging resource; contributes config_settings, container volumes and
  # host_prep_tasks for the openvswitch-agent service.
  NeutronLogging:
    type: OS::TripleO::Services::Logging::NeutronCommon
    properties:
      NeutronServiceName: openvswitch-agent
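# NOTE(review): the nesting in this section was reconstructed from a
# flattened listing. Where the listing left the depth ambiguous this is
# called out inline - confirm those spots against the repository copy.
outputs:
  role_data:
    description: Role data for Neutron openvswitch service
    value:
      service_name: neutron_ovs_agent
      # Host firewall openings for tenant tunnels. No source restriction is
      # set in this block, so VXLAN (udp/4789) and GRE are accepted from any
      # peer that can reach the host - presumably the tenant network is
      # isolated elsewhere; confirm.
      firewall_rules:
        '118 neutron vxlan networks':
          proto: 'udp'
          dport: 4789
        '136 neutron gre networks':
          proto: 'gre'
      monitoring_subscription: {get_param: MonitoringSubscriptionNeutronOvs}
      config_settings:
        map_merge:
          - get_attr: [NeutronBase, role_data, config_settings]
          - get_attr: [RoleParametersValue, value]
          - get_attr: [NeutronLogging, config_settings]
          - neutron::agents::ml2::ovs::l2_population: {get_param: NeutronEnableL2Pop}
            neutron::agents::ml2::ovs::arp_responder: {get_param: NeutronEnableARPResponder}
            neutron::agents::ml2::ovs::tunnel_types: {get_param: NeutronTunnelTypes}
            neutron::agents::ml2::ovs::extensions: {get_param: NeutronAgentExtensions}
            neutron::agents::ml2::ovs::tunnel_csum: {get_param: NeutronOVSTunnelCsum}
            neutron::agents::ml2::ovs::igmp_snooping_enable: {get_param: NeutronEnableIgmpSnooping}
            neutron::agents::ml2::ovs::resource_provider_default_hypervisor: "%{hiera('fqdn_canonical')}"
            # NOTE: bind IP is found in hiera replacing the network name with the
            # local node IP for the given network; replacement examples
            # (eg. for internal_api):
            # internal_api -> IP
            # internal_api_uri -> [IP]
            # internal_api_subnet -> IP/CIDR
            neutron::agents::ml2::ovs::local_ip:
              str_replace:
                template:
                  "%{hiera('$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, NeutronTenantNetwork]}
            # The three settings below are only emitted when the matching
            # condition is true, i.e. when the parameter is non-empty.
            neutron::agents::ml2::ovs::enable_distributed_routing:
              if:
                - neutron_dvr_set
                - {get_param: NeutronEnableDVR}
            neutron::agents::ml2::ovs::firewall_driver:
              if:
                - firewall_driver_set
                - {get_param: NeutronOVSFirewallDriver}
            neutron::agents::ml2::ovs::permitted_ethertypes:
              if:
                - ethertypes_set
                - {get_param: NeutronPermittedEthertypes}
          - neutron::agents::ml2::ovs::network_log_rate_limit: {get_param: NeutronOVSAgentLoggingRateLimit}
          - neutron::agents::ml2::ovs::network_log_burst_limit: {get_param: NeutronOVSAgentLoggingBurstLimit}
          - if:
              - network_log_local_output_log_base_set
              - neutron::agents::ml2::ovs::network_log_local_output_log_base: {get_param: NeutronOVSAgentLoggingLocalOutputLogBase}
      service_config_settings:
        map_merge:
          - get_attr: [NeutronBase, role_data, service_config_settings]
          - rsyslog:
              tripleo_logging_sources_neutron_ovs_agent:
                - {get_param: NeutronOpenVswitchAgentLoggingSource}
          - collectd:
              tripleo.collectd.plugins.neutron_ovs_agent:
                - ovs_events
                - ovs_stats
              collectd::plugin::ovs_events::socket: '/run/openvswitch/db.sock'
              collectd::plugin::ovs_stats::socket: '/run/openvswitch/db.sock'
      puppet_config:
        config_volume: neutron
        puppet_tags: neutron_config,neutron_agent_ovs,neutron_plugin_ml2
        step_config: |
          include tripleo::profile::base::neutron::ovs
        config_image: {get_param: ContainerNeutronConfigImage}
        # We need to mount /run for puppet_config step. This is because
        # puppet-vswitch runs the commands "ovs-vsctl list open_vswitch ."
        # when running vswitch::ovs::enable_hw_offload: true
        # ovs-vsctl talks to the ovsdb-server (hosting conf.db)
        # on the unix domain socket - /run/openvswitch/db.sock
        #
        # The mount is read-write: any process in the container that can reach
        # db.sock can change the host's OVS configuration.
        volumes:
          - /lib/modules:/lib/modules:ro
          - /run/openvswitch:/run/openvswitch:shared,z
      kolla_config:
        /var/lib/kolla/config_files/neutron_ovs_agent.json:
          command: /neutron_ovs_agent_launcher.sh
          config_files:
            - source: "/var/lib/kolla/config_files/src/*"
              dest: "/"
              merge: true
              preserve_properties: true
          permissions:
            - path: /var/log/neutron
              owner: neutron:neutron
              recurse: true
      container_config_scripts:
        neutron_ovs_agent_launcher.sh:
          mode: "0755"
          # PYTHON below is replaced verbatim with the PythonInterpreter
          # parameter before the script is written out, so that parameter is
          # executed as shell in the privileged neutron_ovs_agent container.
          # `set -x` traces every command into the container log.
          # NOTE(review): destroy_patch_ports is given
          # --config-dir /etc/neutron/conf.d/neutron-openvswitch-agent but the
          # agent itself is not; confirm that agent-specific overrides in that
          # directory are meant to be skipped by the agent.
          content:
            str_replace:
              template: |
                #!/bin/bash
                set -xe
                PYTHON -m neutron.cmd.destroy_patch_ports \
                --config-file /etc/neutron/neutron.conf \
                --config-file /etc/neutron/plugins/ml2/openvswitch_agent.ini \
                --config-dir /etc/neutron/conf.d/common \
                --config-dir /etc/neutron/conf.d/neutron-openvswitch-agent \
                --log-file=/var/log/neutron/openvswitch-agent.log
                /usr/bin/neutron-openvswitch-agent \
                --config-file /etc/neutron/neutron.conf \
                --config-file /etc/neutron/plugins/ml2/openvswitch_agent.ini \
                --config-dir /etc/neutron/conf.d/common \
                --log-file=/var/log/neutron/openvswitch-agent.log
              params:
                PYTHON: {get_param: PythonInterpreter}
      docker_config:
        step_3:
          # One-shot (detach: false) puppet run that configures the OVS
          # bridges. It runs as root, privileged, in the host network and PID
          # namespaces with SELinux label separation disabled, so it has
          # essentially host-level access; the image and the mounted puppet
          # modules are part of the host's trusted code base.
          neutron_ovs_bridge:
            detach: false
            image: {get_param: ContainerNeutronConfigImage}
            net: host
            pid: host
            user: root
            privileged: true
            security_opt:
              - label=disable
            command:
              - puppet
              - apply
              - --modulepath
              - /etc/puppet/modules:/usr/share/openstack-puppet/modules
              - --tags
              - file,file_line,concat,augeas,neutron::plugins::ovs::bridge,vs_config
              - -v
              - -e
              - include neutron::agents::ml2::ovs
            volumes:
              list_concat:
                - {get_attr: [ContainersCommon, volumes]}
                - - /var/lib/kolla/config_files/neutron_ovs_agent.json:/var/lib/kolla/config_files/config.json:ro
                  - /var/lib/config-data/puppet-generated/neutron:/var/lib/kolla/config_files/src:ro
                  - /lib/modules:/lib/modules:ro
                  - /run/openvswitch:/run/openvswitch:shared,z
                  # NOTE(review): assumed to be an item of this inner list
                  # (the entry is a single path, not a list) - confirm.
                  - if:
                      - {get_param: DockerPuppetMountHostPuppet}
                      - /usr/share/openstack-puppet/modules/:/usr/share/openstack-puppet/modules/:ro
            environment:
              KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
              TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
        step_4:
          # Long-running agent container. Same exposure as the step_3
          # container: privileged, host network and PID namespaces, SELinux
          # label separation disabled. A compromise of the agent process is
          # therefore a compromise of the host. Everything is mounted
          # read-only except /run/openvswitch (and whatever the common and
          # logging volume lists add).
          neutron_ovs_agent:
            start_order: 10
            image: {get_param: ContainerOpenvswitchImage}
            net: host
            pid: host
            privileged: true
            security_opt:
              - label=disable
            restart: always
            depends_on:
              - openvswitch.service
            healthcheck: {get_attr: [ContainersCommon, healthcheck_rpc_port]}
            ulimit: {get_param: DockerOpenvswitchUlimit}
            volumes:
              list_concat:
                - {get_attr: [ContainersCommon, volumes]}
                - {get_attr: [NeutronLogging, volumes]}
                - - /var/lib/kolla/config_files/neutron_ovs_agent.json:/var/lib/kolla/config_files/config.json:ro
                  - /var/lib/config-data/puppet-generated/neutron:/var/lib/kolla/config_files/src:ro
                  - /var/lib/container-config-scripts/neutron_ovs_agent_launcher.sh:/neutron_ovs_agent_launcher.sh:ro
                  - /lib/modules:/lib/modules:ro
                  - /run/openvswitch:/run/openvswitch:shared,z
            environment:
              KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
      metadata_settings:
        get_attr: [NeutronBase, role_data, metadata_settings]
      # Ansible tasks run on the host before the containers start.
      host_prep_tasks:
        list_concat:
          - {get_attr: [NeutronLogging, host_prep_tasks]}
          # NOTE(review): the listing does not show where this block ends;
          # all following tasks are assumed to belong to it. The block has no
          # condition of its own, so task order is the same either way.
          - - block:
                - name: load openvswitch module
                  import_role:
                    name: tripleo_module_load
                  vars:
                    modules:
                      - name: openvswitch
                # Installs an executable and a systemd unit on the host from
                # files shipped next to this template; both run outside any
                # container.
                - name: Copy in cleanup script
                  copy:
                    content: {get_file: ./neutron-cleanup}
                    dest: '/usr/libexec/neutron-cleanup'
                    force: true
                    mode: '0755'
                # No mode is given here, so the unit file gets the copy
                # module's default permissions.
                - name: Copy in cleanup service
                  copy:
                    content: {get_file: ./neutron-cleanup.service}
                    dest: '/usr/lib/systemd/system/neutron-cleanup.service'
                    force: true
                - name: Enabling the cleanup service
                  service:
                    name: neutron-cleanup
                    enabled: true
                # Persistently turns on an SELinux boolean on the host.
                # NOTE(review): this presumably relaxes policy for every
                # container in the affected domain, not only this one -
                # confirm the scope is acceptable.
                - name: enable virt_sandbox_use_netlink for healthcheck
                  seboolean:
                    name: virt_sandbox_use_netlink
                    persistent: true
                    state: true
      update_tasks:
        # puppetlabs-firewall manages firewall rules via Puppet and persists
        # them by default. Neutron also creates rules at runtime, and those
        # must not be persisted, so make sure none of them remain in the
        # sysconfig files.
        # https://bugzilla.redhat.com/show_bug.cgi?id=1541528
        #
        # The pattern removes every line that contains "neutron-", including
        # any operator-added rule whose chain name or comment happens to
        # contain that text.
        - name: Remove IPv4 iptables rules created by Neutron that are persistent
          lineinfile:
            dest: /etc/sysconfig/iptables
            regexp: '.*neutron-'
            state: absent
          when: step|int == 5
        - name: Remove IPv6 iptables rules created by Neutron that are persistent
          lineinfile:
            dest: /etc/sysconfig/ip6tables
            regexp: '.*neutron-'
            state: absent
          when: step|int == 5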